| author | Joey Hess <joey@kitenet.net> | 2014-03-31 15:52:40 -0400 |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2014-03-31 15:52:40 -0400 |
| commit | a5b739af6d20312d47ab75a63bc4fbfd847b65a6 (patch) | |
| tree | 7e49ff76eb5c38ea76ad06eea1a20a8c51446b52 /README | |
| parent | eb90a409d5428152801339ed0da5fab9688ddef4 (diff) | |
out of band keyring transfer is not necessary, since repo is cloned securely
Diffstat (limited to 'README')
| -rw-r--r-- | README | 6 |
1 files changed, 1 insertions, 5 deletions
@@ -54,7 +54,7 @@ for available fields. It's often easiest for a remote host to use a git:// or http:// url to its origin repository, rather than ssh://. So, to avoid a MITM -attack, propellor checks that the top commit in the git repository is gpg +attack, propellor checks that any commit it fetched from origin is gpg signed by a trusted gpg key, and refuses to deploy it otherwise. This is only done when privdata/keyring.gpg exists. To set it up: @@ -62,8 +62,4 @@ This is only done when privdata/keyring.gpg exists. To set it up: gpg --gen-key # only if you don't already have a gpg key propellor --add-key $MYKEYID -The keyring.gpg can be checked into git, but to ensure that it's -used from the beginning when bootstrapping, propellor --spin -transfers it to the host using ssh. - [1] http://reclass.pantsfullofunix.net/ |
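Review bot: In the first hunk (README line 57), "any commit it fetched from origin is gpg signed" is ambiguous. It can be read as "every fetched commit must be signed" or as "the fetched head must be signed", and these give different guarantees when a signed commit sits on top of unsigned ones. Please state which commit or commits are actually verified, for example "checks that the commit it fetched from origin is gpg signed by a trusted gpg key". The unchanged context line "This is only done when privdata/keyring.gpg exists" also means verification is skipped when the keyring is absent. Since the paragraph recommends git:// or http:// urls, it would help to say so explicitly next to the reworded sentence.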
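Review bot: In the second hunk, the three removed lines were the only place the README said that keyring.gpg can be checked into git and how it reaches a host at bootstrap. After this change the setup steps end at "propellor --add-key $MYKEYID" with no statement of either. The commit message gives the reasoning (the repo is cloned securely, so the keyring arrives with it), but that assumption is not written into the README, and the paragraph above still says remote hosts often use git:// or http:// urls. Suggest replacing the removed paragraph with one sentence saying that keyring.gpg is checked into the repository and is trusted because the initial clone is done over a secure transport.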
